Software & AppsOperating SystemLinux

How To Create Restricted SFTP User Accounts on Ubuntu

Ubuntu 6

Creating restricted SFTP user accounts on Ubuntu is an essential task for system administrators who want to limit user access to certain directories. This article will guide you through the process of creating such accounts using OpenSSH Server.

Quick Answer

To create restricted SFTP user accounts on Ubuntu, you need to install and configure OpenSSH Server. After that, you can create a new group for SFTP-only users, create a new user and add them to the group, set the user’s home directory, and restart the SSH service. This setup allows users to access only their home directory and prevents them from executing commands on the server.


Before we start, ensure that you have the following:

  • An Ubuntu system.
  • Sudo or root access to the system.

Installing OpenSSH Server

OpenSSH server is a free utility for remote operations. To install it, open your terminal and run the following command:

sudo apt-get install openssh-server

This command uses apt-get, the package handling utility in Ubuntu, to install the OpenSSH server.

Configuring OpenSSH Server

After installing OpenSSH, we need to configure it to restrict user access. The main configuration file for OpenSSH is located at /etc/ssh/sshd_config. Open this file using a text editor such as nano:

sudo nano /etc/ssh/sshd_config

In this file, find the line Subsystem sftp /usr/lib/openssh/sftp-server and change it to Subsystem sftp internal-sftp. This change sets the SFTP server to use the internal-sftp subsystem, which allows for chroot operations.

Next, add the following lines at the end of the file:

Match Group sftp-only
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no

Here’s what each line does:

  • Match Group sftp-only: This line matches users who are part of the sftp-only group.
  • ChrootDirectory %h: This line restricts users to their home directory (%h).
  • ForceCommand internal-sftp: This line forces the connection to use the SFTP protocol.
  • AllowTcpForwarding no: This line disables TCP forwarding, which is not needed for SFTP.

After making these changes, save and close the file.

Creating SFTP-Only Group and User

Now, we will create a new group for SFTP-only users:

sudo addgroup sftp-only

Next, create a new user and add them to the sftp-only group:

sudo adduser sftpuser
sudo usermod -G sftp-only sftpuser

In these commands, sftpuser is the username of the new user. You can replace it with any username you prefer.

Setting the Home Directory

To restrict the user’s access to their home directory, set the home directory as follows:

sudo usermod -d /path/to/home/directory sftpuser

Replace /path/to/home/directory with the actual path to the user’s home directory.

Restarting the SSH Service

Finally, restart the SSH service for the changes to take effect:

sudo service ssh restart


You have now successfully created a restricted SFTP user account on Ubuntu. This user can only access their home directory and cannot execute any commands on the server. This setup is ideal for sharing files securely with external users.

Remember to replace sftpuser and /path/to/home/directory with the actual username and path in your environment. Always test the setup before sharing the details with the end user.

For more information on OpenSSH, visit the official OpenSSH documentation.

What is SFTP?

SFTP stands for Secure File Transfer Protocol. It is a network protocol that allows for secure file transfer and remote file management over a secure SSH connection.

Why would I want to create restricted SFTP user accounts?

Creating restricted SFTP user accounts allows you to limit user access to specific directories, providing an additional layer of security. This is useful when you want to share files securely with external users or restrict access to sensitive data.

Can I create multiple restricted SFTP user accounts?

Yes, you can create multiple restricted SFTP user accounts by following the steps outlined in the article for each user. Each user will have their own home directory and restricted access to their respective directories.

How can I change the home directory for an SFTP user?

To change the home directory for an SFTP user, you can use the usermod command with the -d option followed by the desired directory path. For example, sudo usermod -d /new/home/directory sftpuser will change the home directory for the user sftpuser to /new/home/directory.

Can restricted SFTP users execute commands on the server?

No, restricted SFTP users cannot execute commands on the server. They are limited to file transfer and remote file management operations within their designated home directory. The configuration in the article ensures that the user’s SSH session is limited to the SFTP protocol.

Leave a Comment

Your email address will not be published. Required fields are marked *